CI_COMMIT_TAG_MESSAGE includes PGP signature when using signed tags

Summary

The new variable CI_COMMIT_TAG_MESSAGE seems to also include the PGP signature when using signed tags. I expected this to only include the message.

Steps to reproduce

Just add a signed tag and print the variable; in our example we used the release feature. The PGP signature is visible in the description of the newly created release.

release_job:
  stage: .pre
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - echo "Running the release job."
  release:
    tag_name: $CI_COMMIT_TAG
    name: $CI_COMMIT_TAG
    description: $CI_COMMIT_TAG_MESSAGE

What is the current bug behavior?

The CI_COMMIT_TAG_MESSAGE includes body and PGP.

Some message

-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----

What is the expected correct behavior?

The CI_COMMIT_TAG_MESSAGE includes only the body and no PGP.

Some message

Possible fixes

I'm not sure this is related, but it seems to be. The following git command gives a similar result (as the bug):

git tag -l v1.0.0 --format='%(body)'

While the more specific contents:body leaves out the PGP signature:

git tag -l v1.0.0 --format='%(contents:body)'

Technical Proposal

  • Let the message field include the tag message without the signature.
  • If required, modify the Gitaly tag proto to include it as a separate signature field.
  • The above two changes will require changes to the Gitaly repository. Fix in review via gitaly!5286 (closed)
  • On the Rails side, no change will be required.
  • Supporting PGP signature on Rails for signed tags is already tracked in existing issue #19260

Roadmap

  • For gitlab.com, once gitaly!5286 (closed) is merged and deployed, the fix should work.
  • For on-premise, moving to Gitaly 15.9 once available should fix the problem.
Edited by 🤖 GitLab Bot 🤖
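
A pipeline-side workaround for the behavior reported above, as an added example that is not part of the original issue and is not GitLab or Gitaly code: a shell function that removes the trailing signature block from the tag message before it is published. It goes beyond the PGP case in the report by also recognizing the other armor headers git uses for signed objects (SSH and X.509); the function name, the sample value and the `description.md` file name are assumptions.

```shell
#!/bin/sh
# Added example: workaround sketch, not GitLab or Gitaly code.

# strip_tag_signature: read a tag message on stdin and print it without the
# trailing signature block. The cut is made at the LAST line that starts with
# a known armor header, so a header-like line quoted earlier in the body is
# kept. Blank lines left between the body and the signature are trimmed.
strip_tag_signature() {
    awk '
        { lines[NR] = $0 }
        /^-----BEGIN (PGP SIGNATURE|PGP MESSAGE|SIGNED MESSAGE|SSH SIGNATURE)-----/ { cut = NR }
        END {
            last = cut ? cut - 1 : NR
            while (last > 0 && lines[last] ~ /^[ \t]*$/) last--
            for (i = 1; i <= last; i++) print lines[i]
        }
    '
}

# Constructed sample: the value shape reported in the issue (signature elided).
SAMPLE_SIGNED='Some message

-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----'

# In a job, the same call would read the real variable (hypothetical usage):
#   printf '%s\n' "$CI_COMMIT_TAG_MESSAGE" | strip_tag_signature > description.md
printf '%s\n' "$SAMPLE_SIGNED" | strip_tag_signature
```
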